b"\x0c                                            UNCLASSIFIED\n\n                                   United States Department of State\n                                 and the Broadcasting Board of Governors\n                                      Office of Inspector General\n\n\n\n\n                                           Office of Audits\nOffice of Inspector General\n\n\n                                 System Review Report\n                               on the Department of the\n                              Treasury Office of Inspector\n                              General Audit Organization\n                                 Report Number AUD-10-12, November 2009\n\n\n\n\n                                              UNCLASSIFIED\n\x0c                                                              United States Department of State\n                                                              and the Broadcasting Board of Governors\n\n                                                              O.ffice of Inspector General\n\n\n\n\n                                      System Review Report\n\n\n\nTo The Honorable Eric M. Thorson, Inspector General\nDepartment of the Treasury\n\nWe have reviewed the system of quality control for the audit organization of the Department of\nthe Treasury Office of Inspector General (OIG) in effect for the year ended March 31, 2009. A\nsystem of quality control encompasses the DIG's organizational structure and the policies\nadopted and procedures established to provide it with reasonable assurance of conforming with\nGovernment Auditing Standards. The elements of quality control are described in Government\nAuditing Standards. The OIG is responsible for designing a system of quality control and\ncomplying with it to provide the DIG with reasonable assurance of performing and reporting in\nconformity with applicable professional standards in all material respects. Our responsibility is to\nexpress an opinion on the design of the system of quality control and the OIG's compliance\ntherewith based on our review.\n\nOur review was conducted in accordance with Government Auditing Standards and guidelines\nestablished by the Council of the Inspectors General on Integrity and Efficiency (CIGfE).\nDuring our review, we interviewed Department of the Treasury DIG personnel and obtained an\nunderstanding of DIG's audit organization and the design of DIG's system of quality control\nsufficient to assess the risks implicit in DIG's audit function. Based on our assessments, we\nselected engagements and administrative files to test for conformity with professional standards\nand compliance with DIG's system of quality control. The engagements selected represented a\nreasonable cross-section ofOIG's audit organization. Prior to concluding the review, we\nreassessed the adequacy of the scope of the peer review procedures and met with OIG\nmanagement to discuss the results of our review. We believe that the procedures we performed\nprovide a reasonable basis for our opinion.\n\nIn performing our review, we obtained an understanding of the system of quality control for\nDIG's audit organization. In addition, we tested compliance with DIG's quality control policies\nand procedures to the extent we considered appropriate. These tests covered the application of\nOIG's policics and procedures on selected engagements. Our review was based on selected\n\x0ctests; therefore, it would not necessarily detect all weaknesses in the system of quality control or\nall instances of noncompliance with it.\n\nThere are inherent limitations in the effectiveness of any system of quality control; therefore,\nnoncompliance with the system of quality control may occur and not be detected. Projection of\nany evaluation of a system of quality control to future periods is subject to the risk that the\nsystem of quality control may become inadequate because of changes in conditions or because\nthe degree of compliance with the policies or procedures may deteriorate.\n\nThe enclosure to this report identifies the offices of the Department of the Treasury DIG that we\nvisited and the engagements that we reviewed.\n\nIn our opinion, the system of quality control for the audit organization of the Department of the\nTreasury DIG in effect for the year ended March 31, 2009, has been suitably designed and\ncomplied with to provide the Department of the Treasury DIG with reasonable assurance of\nperfonning and reporting in confonnity with applicable professional standards in all material\nrespects. Federal audit organizations can receive a rating of pass, pass with deficiencies, orfail.\nThc Department of the Treasury DIG has received a peer review rating of pass. As is\ncustomary, we have issued a letter dated November 19, 2009, which sets forth findings that were\nnot considered to be of sufficient significance to affect our opinion expressed in this report.\nYour response to the draft report is included as an Exhibit, and excerpts are incorporated into the\nrelevant sections of the letter.\n\nIn addition to reviewing the Department of the Treasury DIG's system of quality control to\nensure adherence with Government Audifing Standards, we applied ccrtain limited procedures in\naccordance with guidance established by elGIE related to the Department of the Treasury DIG's\nmonitoring of engagements performed by Independent Public Accountants (IPA) under contract\nwhcrc the IPA served as the principal auditor. It should be noted that monitoring of engagements\nperformed by IPAs is not an audit and therefore is not subject to the requirements of Government\nAudifing Standards. The purpose of our limited proccdurcs was to dctcnnine whether the\nDcpartment of the Treasury DIG had controls to ensure that IPAs performed contracted work in\naccordance with professional standards. However, our objective was not to express an opinion,\nand accordingly, we do not express an opinion, on the Department of the Treasury DIG's\nmonitoring of work perfonned by IPAs.\n\n\n\nHarold W. Geisel, Acting Inspector General\n\nEnclosure\n\x0c                                             UNCLASSIFIED\n\n\n\n\n                                TABLE OF CONTENTS\n\n     Section                                                                                                           Page\n\nSCOPE AND METHODOLOGY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1\nLETTER OF COMMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3\nLIST OF RECOMMENDATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7\nAPPENDIX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9\n\n\n\n\n                                              UNCLASSIFIED\n\x0c                                            UNCLASSIFIED\n\n\n\n\n                      SCOPE AND METHODOLOGY\n\n        We tested compliance with the Department of the Treasury Office of Inspector\n    General (OIG) audit organization\xe2\x80\x99s system of quality control to the extent we con-\n    sidered appropriate. These tests included a review of 11 of 39 audit and attestation\n    reports issued during the period April 1, 2008, through March 31, 2009, and semian-\n    nual reporting periods of April 1, 2008, through March 31, 2009, as shown in Tables\n    1 and 2. We also reviewed the internal quality control reviews performed by the\n    Department of the Treasury OIG.\n\n        Of these 11 reports, six were performance audits; one was a financial statement\n    audit; and four were OIG\xe2\x80\x99s monitoring of engagements performed by Independent\n    Public Accountants (IPA) where the IPA served as the principal auditor during the\n    period April 1, 2008, through March 31, 2009.\n\n        We visited the Boston, Massachusetts, and Washington, D.C., offices of the De-\n    partment of the Treasury OIG.\n\n         Table 1. Review of Reports Performed by the Department of the Treasury OIG\n\n          Report No. Report Date Report Title\n          OIG-08-030 04/09/08    TERRORIST FINANCING/MONEY LAUNDER-\n                                 ING: Responsibility for Bank Secrecy Act Is Spread\n                                 Across Many Organizations\n          OIG-08-036 06/12/08    BILL AND COIN MANUFACTURING: BEP Needs\n                                 to Enforce and Strengthen Controls at Its Eastern\n                                 Currency Facility to Prevent and Detect Employee\n                                 Theft\n          OIG-08-038 07/21/08    ACCESSIBILITY OF FINANCIAL SERVICES:\n                                 OCC Is Appropriately Using HMDA Data in its Risk\n                                 Assessment Process to Identify Possible Discrimina-\n                                 tory Lending Practices\n          OIG-08-040 07/25/08    CAPITAL INVESTMENTS: Treasury Foreign In-\n                                 telligence Network Project Experienced Delays and\n                                 Project Management Weaknesses\n\n\n\n\nOIG Report No. AUD-10-12, System Review Report on the Department of Treasury OIG Audit Organization - Nov 2009   1 .\n\n\n                                            UNCLASSIFIED\n\x0c                                            UNCLASSIFIED\n\n\n\n                  Report No. Report Date Report Title\n                  OIG-08-041 07/28/08    FINANCIAL MANAGEMENT: Controls Over Trea-\n                                         sury\xe2\x80\x99s Working Capital Fund Expense Process Need\n                                         Improvement\n                  OIG-09-002 10/21/08    Audit of the United States Mint\xe2\x80\x99s Schedule of Custo-\n                                         dial Deep Storage Gold and Silver Reserves as of Sep-\n                                         tember 30, 2008 and 2007 (financial statement audit)\n                  OIG-09-013 11/25/08    SAFETY AND SOUNDNESS: Material Loss Review\n                                         of ANB Financial, National Association\n\n\n\n                Table 2. Review of the Department of the Treasury OIG Monitoring Files of\n                Audit Work Performed by an Independent Public Accounting Firm\n\n                  Report No. Report Date                 Report Title\n                  OIG-08-046 09/26/08                    INFORMATION TECHNOLOGY: Federal Infor-\n                                                         mation Security Management Act Fiscal Year 2008\n                                                         Performance Audit\n                  OIG-09-004 11/07/08                    FINANCIAL MANAGEMENT: Report on the\n                                                         Bureau of the Public Debt Trust Fund Management\n                                                         Branch Schedules for Selected Trust Funds as of and\n                                                         for the Year Ended September 30, 2008\n                  OIG-09-006 11/17/08                    Audit of the Department of the Treasury\xe2\x80\x99s Fiscal\n                                                         Years 2008 and 2007 Financial Statements\n                  OIG-09-021 12/22/08                    Audit of the Department of the Treasury Forfeiture\n                                                         Fund\xe2\x80\x99s Fiscal Years 2008 and 2007 Financial State-\n                                                         ments\n\n\n\n\n2 .   OIG Report No. AUD-10-12, System Review Report on the Department of Treasury OIG Audit Organization - Nov 2009\n\n\n                                            UNCLASSIFIED\n\x0c                                            UNCLASSIFIED\n\n\n\n\n                             LETTER OF COMMENT\n\n         To The Honorable Eric M. Thorson, Inspector General\n\n         Department of the Treasury\n\n\n\n        We have reviewed the system of quality control for the audit organization of the\n    Department of the Treasury Office of Inspector General (OIG) in effect for the\n    year ended March 31, 2009, and have issued our report thereon dated November 19,\n    2009, in which the Department of the Treasury OIG received a rating of pass. That\n    report should be read in conjunction with the comments in this letter, which were\n    considered in determining our opinion. The findings described below were not con-\n    sidered to be of sufficient significance to affect the opinion expressed in that report.\n\n        Finding 1. Documentation of Fraud Risk Assessment and Internal Con-\n    trol Review\n\n         In two of the six performance audits reviewed, we found that the audit team\n    marked the audit guide\xe2\x80\x99s section on fraud risk assessment as \xe2\x80\x9cNot Applicable\xe2\x80\x9d and\n    did not document in the working papers any explanation for this conclusion. Gov-\n    ernment Auditing Standards, paragraph 7.30, states that auditors, in planning the\n    audit, \xe2\x80\x9cshould assess risks of fraud occurring that is significant within the context\n    of the audit objectives.\xe2\x80\x9d The paragraph further states that auditors \xe2\x80\x9cshould discuss\n    among the team fraud risks, including factors such as individuals\xe2\x80\x99 incentives or pres-\n    sures to commit fraud, the opportunity for fraud to occur, and rationalizations or\n    attitudes that could allow individuals to commit fraud.\xe2\x80\x9d Also, auditors \xe2\x80\x9cshould gather\n    and assess information to identify risks of fraud that are significant within the scope\n    of the audit objectives or that could affect the findings and conclusions.\xe2\x80\x9d In addi-\n    tion, paragraph 7.77 states that auditors \xe2\x80\x9cmust prepare audit documentation related\n    to planning, conducting, and reporting for each audit.\xe2\x80\x9d The audit directors stated\n    that the fraud risk assessments were done during the planning phase but had not\n    been documented. They also stated that these audits pertained to Treasury regula-\n    tors and therefore had less fraud risk.\n\n        Additionally, for these same two performance audits, the audit team marked\n    the audit guide\xe2\x80\x99s section on internal control review as \xe2\x80\x9cNot Applicable\xe2\x80\x9d and did\n    not document in the working papers any explanation for this conclusion. Govern-\n\nOIG Report No. AUD-10-12, System Review Report on the Department of Treasury OIG Audit Organization - Nov 2009   3 .\n\n\n                                            UNCLASSIFIED\n\x0c                                            UNCLASSIFIED\n\n\n\n            ment Auditing Standards, paragraph 7.16, states that auditors \xe2\x80\x9cshould obtain an\n            understanding of internal control that is significant within the context of the audit\n            objectives.\xe2\x80\x9d Within that context, auditors \xe2\x80\x9cshould assess whether internal control\n            has been properly designed and implemented.\xe2\x80\x9d The paragraph further states, \xe2\x80\x9cFor\n            those internal controls that are deemed significant within the context of the audit\n            objectives, auditors should plan to obtain sufficient, appropriate evidence to support\n            their assessment about the effectiveness of those controls.\xe2\x80\x9d Paragraph 7.77, which\n            requires auditors to prepare documentation, is also applicable.\n\n\n\n               Recommendation 1: Department of the Treasury OIG management should\n               comply with Government Auditing Standards and require audit teams to docu-\n               ment why the fraud risk assessment and internal control review are not appli-\n               cable to a performance audit when such is concluded.\n\n\n                In its response to the draft report, the Department of the Treasury OIG official\n            concurred with the finding and recommendation, stating that the need to explain in\n            the audit documentation why a fraud risk assessment or internal control review is\n            considered not applicable for a particular audit had been discussed with senior man-\n            agers. The OIG official said that there will be a follow-up on the discussion by in-\n            cluding a requirement in the updated Office of Audit Policy and Procedures Manual\n            that whenever an audit guide step is marked \xe2\x80\x9cNot Applicable,\xe2\x80\x9d the reason must be\n            stated in the audit documentation and signed off by a supervisor. The OIG official\n            further stated that \xe2\x80\x9cit will make clear that a \xe2\x80\x98Not Applicable\xe2\x80\x99 determination for steps\n            related to fraud risk assessment and internal control review should be rare.\xe2\x80\x9d\n\n              Finding 2. System of Quality Control \xe2\x80\x93 Updated Policy and Procedures\n            Manual\n\n                 We found that the Department of the Treasury OIG had established a system of\n            quality control, including the Office of Audit Policy and Procedures Manual; howev-\n            er, the Manual had not been updated to incorporate the changes in the Government\n            Auditing Standards July 2007 revision. An updated manual incorporating changes\n            in the Government Auditing Standards July 2007 revision has been drafted and is\n            pending final management approval. OIG officials said that final approval had been\n            delayed because of other priorities and a lengthy management review process.\n\n                Although the Office of Audit Policy and Procedures Manual had not been\n            updated since May 2006, the Department of the Treasury OIG has issued several\n            interim policies to ensure compliance with current requirements of Government\n\n\n4 .   OIG Report No. AUD-10-12, System Review Report on the Department of Treasury OIG Audit Organization - Nov 2009\n\n\n                                            UNCLASSIFIED\n\x0c                                            UNCLASSIFIED\n\n\n\n    Auditing Standards. Also, current Government Auditing Standards requirements\n    have been incorporated into the procedures in the TeamMate library. Our review of\n    11 audit reports identified no significant instances of noncompliance with applicable\n    auditing standards.\n\n\n\n        Recommendation 2: Department of the Treasury OIG management should\n        finalize and issue the Office of Audit Policy and Procedures Manual incorpo-\n        rating changes contained in the Government Auditing Standards July 2007 revi-\n        sion.\n\n\n        In its response to the draft report, the Treasury OIG official concurred with the\n    finding and recommendation, stating that executive review and final approval of the\n    updated Office of Audit Policy and Procedures Manual had been delayed because of\n    \xe2\x80\x9cother pressing matters\xe2\x80\x9d but that the OIG plans to issue the Manual in final form by\n    December 31, 2009.\n\n\n\n\n         Harold W. Geisel, Acting Inspector General\n\n\n\n\nOIG Report No. AUD-10-12, System Review Report on the Department of Treasury OIG Audit Organization - Nov 2009   5 .\n\n\n                                            UNCLASSIFIED\n\x0c                                            UNCLASSIFIED\n\n\n\n\n6 .   OIG Report No. AUD-10-12, System Review Report on the Department of Treasury OIG Audit Organization - Nov 2009\n\n\n                                            UNCLASSIFIED\n\x0c                                            UNCLASSIFIED\n\n\n\n\n                               RECOMMENDATIONS\n\n    Recommendation 1: Department of the Treasury OIG management should com-\n      ply with Government Auditing Standards and require audit teams to document\n      why the fraud risk assessment and internal control review are not applicable to a\n      performance audit when such is concluded.\n\n    Recommendation 2: Department of the Treasury OIG management should final-\n      ize and issue the Office of Audit Policy and Procedures Manual incorporating\n      changes contained in the Government Auditing Standards July 2007 revision.\n\n\n\n\nOIG Report No. AUD-10-12, System Review Report on the Department of Treasury OIG Audit Organization - Nov 2009   7 .\n\n\n                                            UNCLASSIFIED\n\x0c                                            UNCLASSIFIED\n\n\n\n\n8 .   OIG Report No. AUD-10-12, System Review Report on the Department of Treasury OIG Audit Organization - Nov 2009\n\n\n                                            UNCLASSIFIED\n\x0c                                            UNCLASSIFIED\n\n\n\n         Exhibit\n\n\n\n\nOIG Report No. AUD-10-12, System Review Report on the Department of Treasury OIG Audit Organization - Nov 2009   9 .\n\n\n                                            UNCLASSIFIED\n\x0cFRAUD, WASTE, ABUSE, OR MISMANAGEMENT\n              of Federal programs\n         and resources hurts everyone.\n\n       Call the Office of Inspector General\n                    HOTLINE\n                   202-647-3320\n                or 1-800-409-9926\n         or e-mail oighotline@state.gov\n      to report illegal or wasteful activities.\n\n              You may also write to\n           Office of Inspector General\n            U.S. Department of State\n              Post Office Box 9778\n              Arlington, VA 22219\n           Please visit our Web site at:\n               http://oig.state.gov\n\n        Cables to the Inspector General\n       should be slugged \xe2\x80\x9cOIG Channel\xe2\x80\x9d\n           to ensure confidentiality.\n\x0cUNCLASSIFIED\n\n\n\n\n UNCLASSIFIED\n\x0c"